The Audit Defense Library

Practitioner-depth analysis across federal and private compliance: FISMA and NIST RMF, FedRAMP, CMMC, federal AI governance, SOC 2, AI governance, cybersecurity, and GRC engineering. Written by a CPA, CISSP, CISA with Big 4 audit experience.

All FISMA & NIST RMF FedRAMP CMMC Federal AI Governance GovCon Compliance Federal Cybersecurity Federal Zero Trust Federal GRC Engineering AI Governance GRC Engineering Cybersecurity Cloud Security HIPAA SOC 2
HIPAA

HIPAA Encryption Requirements 2026: At Rest vs Transit

Three thousand nine hundred patients. One unencrypted laptop. One parked car. The theft triggered a breach notification to every patient, a media disclosure to local news outlets, and an OCR investigation that ended in a...

Read the Guide
HIPAA

HIPAA Risk Analysis: Stop Using the Excel Template

Organization A downloads the HHS Security Risk Assessment Tool, changes the organization name, and answers 40 yes/no questions in two hours. The spreadsheet goes into a shared drive with "FINAL" in the filename. When an...

Read the Guide
HIPAA

HIPAA Asset Inventory Requirement

How many systems in your organization touch Protected Health Information? Not the ones your IT department provisioned. All of them. The 23 AWS S3 buckets your cloud billing statement reveals. The Salesforce instance storing patient...

Read the Guide
AI Governance

AI Risk Assessment: NIST AI RMF Implementation Guide

An AI risk assessment identifies, analyzes, and treats risks specific to AI systems: bias, hallucination, data provenance, and decision accountability. The NIST AI RMF 1.0 structures the process into four functions: Govern, Map, Measure, and...

Read the Guide
Cybersecurity

NIST Cybersecurity Assessment: The 60-Day Framework Guide

NIST released CSF 2.0 in February 2024, the first major framework revision in a decade. The update added a sixth function (Govern), expanded applicability beyond critical infrastructure to all organizations, and introduced implementation tiers replacing...

Read the Guide
Cybersecurity

Incident Response Plan: Implementation Guide for Teams

Two million and thirty thousand dollars. The cost difference between organizations that test their incident response plans and those that discover their plans do not work during an actual breach. IBM's 2024 Cost of a...

Read the Guide
Cybersecurity

How to Document Security Incidents for Audits

Organization A resolved 47 security incidents last quarter. The incident log shows detailed timelines, containment actions, root cause analysis, and corrective action status for each one. The SOC 2 auditor reviewed the documentation, confirmed CC7.3...

Read the Guide
HIPAA

HIPAA Risk Assessment: Five-Step Process for OCR

Every HIPAA risk assessment I review commits the same fundamental error. The document is titled "Risk Assessment." The content is a checklist. MFA: yes. Encryption: yes. Backup: yes. A series of binary answers telling OCR...

Read the Guide
AI Governance

What Counts as PHI in AI Tools? The 2026 “Mosaic Effect” Guide

In 2000, Latanya Sweeney at Carnegie Mellon demonstrated that 87% of the U.S. population becomes uniquely identifiable from three data points: five-digit ZIP code, gender, and date of birth [Sweeney 2000]. She proved it by...

Read the Guide
AI Governance

What Is AI Governance? The 2026 Strategic Guide

AI governance is the system of policies, oversight mechanisms, and accountability structures directing how organizations develop, deploy, and monitor artificial intelligence. Three frameworks define the 2026 standard: the EU AI Act (general application August 2,...

Read the Guide
HIPAA

BAA for Google Drive

The most common HIPAA violation I encounter during healthcare practice assessments is the one nobody suspects. Not missing encryption. Not absent multi-factor authentication (MFA). A therapist, office manager, or billing coordinator sending patient intake forms...

Read the Guide
HIPAA

Do I Need a Firewall for HIPAA? (Router vs. Firewall Guide 2026)

In April 2012, a small cardiology practice in Phoenix paid $100,000 to settle an Office for Civil Rights (OCR) enforcement action targeting network security infrastructure. Phoenix Cardiac Surgery, a five-physician group, was cited for lacking...

Read the Guide
The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.